From 637d50ad9140fb06b674bacc02172ce573491bb0 Mon Sep 17 00:00:00 2001 From: fuero Date: Wed, 11 Sep 2019 14:13:08 +0200 Subject: [PATCH] initial package --- .../rpm/dns-over-https-2.1.2-systemd.patch | 36 +++ contrib/rpm/doh.spec | 240 ++++++++++++++++++ contrib/rpm/doh_client.fc | 2 + contrib/rpm/doh_client.if | 103 ++++++++ contrib/rpm/doh_client.te | 49 ++++ contrib/rpm/doh_server.fc | 2 + contrib/rpm/doh_server.if | 122 +++++++++ contrib/rpm/doh_server.te | 42 +++ 8 files changed, 596 insertions(+) create mode 100644 contrib/rpm/dns-over-https-2.1.2-systemd.patch create mode 100644 contrib/rpm/doh.spec create mode 100644 contrib/rpm/doh_client.fc create mode 100644 contrib/rpm/doh_client.if create mode 100644 contrib/rpm/doh_client.te create mode 100644 contrib/rpm/doh_server.fc create mode 100644 contrib/rpm/doh_server.if create mode 100644 contrib/rpm/doh_server.te diff --git a/contrib/rpm/dns-over-https-2.1.2-systemd.patch b/contrib/rpm/dns-over-https-2.1.2-systemd.patch new file mode 100644 index 0000000..36ddab0 --- /dev/null +++ b/contrib/rpm/dns-over-https-2.1.2-systemd.patch 
@@ -0,0 +1,36 @@
+diff -Naur dns-over-https-2.1.2.org/systemd/doh-client.service dns-over-https-2.1.2/systemd/doh-client.service
+--- dns-over-https-2.1.2.org/systemd/doh-client.service 2019-09-10 12:08:35.177574074 +0200
++++ dns-over-https-2.1.2/systemd/doh-client.service 2019-09-10 12:10:05.473700374 +0200
+@@ -7,12 +7,12 @@
+ 
+ [Service]
+ AmbientCapabilities=CAP_NET_BIND_SERVICE
+-ExecStart=/usr/local/bin/doh-client -conf /etc/dns-over-https/doh-client.conf
++ExecStart=/usr/bin/doh-client -conf /etc/dns-over-https/doh-client.conf
+ LimitNOFILE=1048576
+ Restart=always
+ RestartSec=3
+ Type=simple
+-User=nobody
++User=doh-client
+ 
+ [Install]
+ WantedBy=multi-user.target
+diff -Naur dns-over-https-2.1.2.org/systemd/doh-server.service dns-over-https-2.1.2/systemd/doh-server.service
+--- dns-over-https-2.1.2.org/systemd/doh-server.service 2019-09-10 12:08:35.177574074 +0200
++++ dns-over-https-2.1.2/systemd/doh-server.service 2019-09-10 12:10:20.980273992 +0200
+@@ -5,12 +5,12 @@
+ 
+ [Service]
+ AmbientCapabilities=CAP_NET_BIND_SERVICE
+-ExecStart=/usr/local/bin/doh-server -conf /etc/dns-over-https/doh-server.conf
++ExecStart=/usr/bin/doh-server -conf /etc/dns-over-https/doh-server.conf
+ LimitNOFILE=1048576
+ Restart=always
+ RestartSec=3
+ Type=simple
+-User=nobody
++User=doh-server
+ 
+ [Install]
+ WantedBy=multi-user.target
diff --git a/contrib/rpm/doh.spec b/contrib/rpm/doh.spec
new file mode 100644
index 0000000..e3dfbcb
--- /dev/null
+++ b/contrib/rpm/doh.spec
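Review bot: The units now run under dedicated accounts but still carry no sandboxing directives, so a compromised doh-client or doh-server keeps the full filesystem view of that user; since this patch already rewrites the `[Service]` section, it is the natural place to add `NoNewPrivileges=yes`, `ProtectSystem=strict` and `PrivateTmp=yes` (ambient capabilities are designed to keep working under `NoNewPrivileges`, so the `CAP_NET_BIND_SERVICE` grant is unaffected), subject to confirming the daemons write nowhere outside the journal. The patch is also named after version 2.1.2 and pulled in as `%{name}-%{version}-systemd.patch` from the spec, so every version bump forces a rename; a `sed` over `ExecStart=` and `User=` in `%prep` would survive rebases with no patch file at all.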
@@ -0,0 +1,240 @@
+# vim: tabstop=4 shiftwidth=4 expandtab
+%global _hardened_build 1
+# Debug package is empty anyway
+%define debug_package %{nil}
+
+%global _release 1
+%global provider github
+%global provider_tld com
+%global project m13253
+%global repo dns-over-https
+%global provider_prefix %{provider}.%{provider_tld}/%{project}/%{repo}
+%global import_path %{provider_prefix}
+
+#define commit 984df34ca7b45897ecb5871791e398cc160a4b93
+
+%if 0%{?commit:1}
+%define shortcommit %(c=%{commit}; echo ${c:0:7})
+%define _date %(date +'%%Y%%m%%dT%%H%%M%%S')
+%endif
+
+%define rand_id %(head -c20 /dev/urandom|od -An -tx1|tr -d '[[:space:]]')
+
+%if ! 0%{?gobuild:1}
+%define gobuild(o:) go build -ldflags "${LDFLAGS:-} -B 0x%{rand_id}" -a -v -x %{?**};
+%endif
+
+%if ! 0%{?gotest:1}
+%define gotest() go test -ldflags "${LDFLAGS:-}" %{?**}
+%endif
+
+Name: %{repo}
+Version: 2.1.2
+%if 0%{?commit:1}
+Release: %{_release}.git%{shortcommit}.%{_date}%{?dist}
+Source0: https://%{import_path}/archive/%{commit}.tar.gz
+%else
+Release: %{_release}%{?dist}
+Source0: https://%{import_path}/archive/v%{version}.tar.gz
+%endif
+Patch0: %{name}-%{version}-systemd.patch
+
+Summary: High performance DNS over HTTPS client & server
+License: MIT
+URL: https://github.com/m13253/dns-over-https
+
+
+# e.g. el6 has ppc64 arch without gcc-go, so EA tag is required
+# If go_compiler is not set to 1, there is no virtual provide. Use golang instead.
+#BuildRequires: %{?go_compiler:compiler(go-compiler)}%{!?go_compiler:golang} >= 1.10
+BuildRequires: golang >= 1.10
+BuildRequires: systemd
+BuildRequires: upx
+
+%description
+%{summary}
+
+%package common
+BuildArch: noarch
+Summary: %{summary} - common files
+
+%description common
+%{summary}
+
+%package server
+ExclusiveArch: %{?go_arches:%{go_arches}}%{!?go_arches:%{ix86} x86_64 %{arm}}
+Summary: %{summary} - Server
+Requires(pre): shadow-utils
+Requires(post): systemd
+Requires(preun): systemd
+Requires(postun): systemd
+
+%description server
+%{summary}
+
+%package client
+ExclusiveArch: %{?go_arches:%{go_arches}}%{!?go_arches:%{ix86} x86_64 %{arm}}
+Summary: %{summary} - Client
+Requires(pre): shadow-utils
+Requires(post): systemd
+Requires(preun): systemd
+Requires(postun): systemd
+
+%description client
+%{summary}
+
+%package selinux
+BuildArch: noarch
+
+Source3: doh_server.fc
+Source4: doh_server.if
+Source5: doh_server.te
+Source6: doh_client.fc
+Source7: doh_client.if
+Source8: doh_client.te
+
+BuildRequires: selinux-policy
+BuildRequires: selinux-policy-devel
+Requires: %{name}
+
+Requires(post): policycoreutils
+Requires(post): policycoreutils-python
+Requires(postun): policycoreutils
+
+Summary: SELinux policy for %{name}
+
+%description selinux
+%summary
+
+%prep
+%if 0%{?commit:1}
+%autosetup -n %{name}-%{commit} -p1
+%else
+%autosetup -n %{name}-%{version} -p1
+%endif
+
+mkdir -p selinux
+cp %{SOURCE3} %{SOURCE4} %{SOURCE5} %{SOURCE6} %{SOURCE7} %{SOURCE8} selinux
+
+%build
+cd selinux
+make -f /usr/share/selinux/devel/Makefile doh_server.pp doh_client.pp || exit
+cd -
+
+%set_build_flags
+%make_build \
+ PREFIX=%{_prefix} \
+ GOBUILD="go build -ldflags \"-s -w -B 0x%{rand_id}\" -a -v -x"
+
+%install
+%make_install \
+ PREFIX=%{_prefix}
+install -Dpm 0600 selinux/doh_server.pp %{buildroot}%{_datadir}/selinux/packages/doh_server.pp
+install -Dpm 0644 selinux/doh_server.if %{buildroot}%{_datadir}/selinux/devel/include/contrib/doh_server.if
+install -Dpm 0600 selinux/doh_client.pp %{buildroot}%{_datadir}/selinux/packages/doh_client.pp
+install -Dpm 0644 selinux/doh_client.if %{buildroot}%{_datadir}/selinux/devel/include/contrib/doh_client.if
+
+mkdir -p %{buildroot}%{_docdir}/%{name}
+mv %{buildroot}%{_sysconfdir}/%{name}/*.example %{buildroot}%{_docdir}/%{name}
+
+mkdir -p %{buildroot}%{_libdir}
+mv %{buildroot}%{_sysconfdir}/NetworkManager %{buildroot}%{_libdir}/
+
+for i in $(find %{_buildroot}%{_bindir} -type f)
+do
+ upx $i
+done
+
+%files common
+%license LICENSE
+%doc Changelog.md Readme.md
+
+%files server
+%{_libdir}/NetworkManager/dispatcher.d/doh-server
+%{_docdir}/%{name}/doh-server.conf.example
+%config(noreplace) %{_sysconfdir}/%{name}/doh-server.conf
+%{_bindir}/doh-server
+%{_unitdir}/doh-server.service
+
+%files client
+%{_libdir}/NetworkManager/dispatcher.d/doh-client
+%{_docdir}/%{name}/doh-client.conf.example
+%config(noreplace) %{_sysconfdir}/%{name}/doh-client.conf
+%{_bindir}/doh-client
+%{_unitdir}/doh-client.service
+
+%pre server
+test -d %{_sharedstatedir}/home || mkdir -p %{_sharedstatedir}/home
+getent group doh-server > /dev/null || groupadd -r doh-server
+getent passwd doh-server > /dev/null || \
+ useradd -r -d %{_sharedstatedir}/home/doh-server -g doh-server \
+ -s /sbin/nologin -c "%{name} - server" doh-server
+exit 0
+
+%pre client
+test -d %{_sharedstatedir}/home || mkdir -p %{_sharedstatedir}/home
+getent group doh-client > /dev/null || groupadd -r doh-client
+getent passwd doh-client > /dev/null || \
+ useradd -r -d %{_sharedstatedir}/home/doh-client -g doh-client \
+ -s /sbin/nologin -c "%{name} - client" doh-client
+exit 0
+
+%post server
+%systemd_post doh-server.service
+
+%preun server
+%systemd_preun doh-server.service
+
+%postun server
+%systemd_postun_with_restart doh-server.service
+
+%post client
+%systemd_post doh-client.service
+
+%preun client
+%systemd_preun doh-client.service
+
+%postun client
+%systemd_postun_with_restart doh-client.service
+
+%files selinux
+%{_datadir}/selinux/packages/doh_server.pp
+%{_datadir}/selinux/devel/include/contrib/doh_server.if
+%{_datadir}/selinux/packages/doh_client.pp
+%{_datadir}/selinux/devel/include/contrib/doh_client.if
+
+%post selinux
+semodule -n -i %{_datadir}/selinux/packages/doh_server.pp
+semodule -n -i %{_datadir}/selinux/packages/doh_client.pp
+if /usr/sbin/selinuxenabled ; then
+ /usr/sbin/load_policy
+ /usr/sbin/fixfiles -R %{name}-server restore
+ /usr/sbin/fixfiles -R %{name}-client restore
+fi;
+semanage -i - << __eof
+port -a -t doh_server_port_t -p tcp "8053"
+port -a -t doh_client_port_t -p udp "5380"
+__eof
+exit 0
+
+%postun selinux
+if [ $1 -eq 0 ]; then
+ semanage -i - << __eof
+port -d -t doh_server_port_t -p tcp "8053"
+port -d -t doh_client_port_t -p udp "5380"
+__eof
+
+ semodule -n -r doh_server
+ semodule -n -r doh_client
+ if /usr/sbin/selinuxenabled ; then
+ /usr/sbin/load_policy
+ /usr/sbin/fixfiles -R %{name}-server restore
+ /usr/sbin/fixfiles -R %{name}-client restore
+ fi;
+fi;
+exit 0
+
+%changelog
+* Tue Sep 10 2019 fuero 2.1.2-1
+- initial package
+
diff --git a/contrib/rpm/doh_client.fc b/contrib/rpm/doh_client.fc
new file mode 100644
index 0000000..4c93c63
--- /dev/null
+++ b/contrib/rpm/doh_client.fc
@@ -0,0 +1,2 @@
+/usr/bin/doh-client -- gen_context(system_u:object_r:doh_client_exec_t,s0)
+/usr/lib/systemd/system/doh-client.service -- gen_context(system_u:object_r:doh_client_unit_file_t,s0)
diff --git a/contrib/rpm/doh_client.if b/contrib/rpm/doh_client.if
new file mode 100644
index 0000000..339c5fa
--- /dev/null
+++ b/contrib/rpm/doh_client.if
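Review bot: The upx loop in `%install` uses `%{_buildroot}`, which neither the spec nor rpm defines (every other line uses `%{buildroot}`); rpm leaves an undefined macro unexpanded, so `find` is handed a path that does not exist and the binaries are never packed. Before fixing the name, consider dropping upx entirely: a packed executable unpacks itself into writable-then-executable memory, which is presumably why both .te files have to grant `execmem`/`execmod` to the daemons, and packing also defeats the build-id and stripping the spec otherwise sets up. Two scriptlet issues besides: `Requires: %{name}` on the selinux subpackage names the main package, which has no `%files` section and so is never built, leaving `%{name}-selinux` uninstallable unless it is meant to require `%{name}-server` or `%{name}-client`; and `%post selinux` runs `port -a` unconditionally, so on upgrade (`$1` = 2) semanage fails because both ports already exist, with the trailing `exit 0` hiding the error. The `%(head -c20 /dev/urandom ...)` build-id additionally makes every build unreproducible; deriving it from `%{commit}` or a hash of the tarball gives the same uniqueness deterministically.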
@@ -0,0 +1,103 @@
+
+## policy for doh_client
+
+########################################
+##
+## Execute doh_client_exec_t in the doh_client domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`doh_client_domtrans',`
+ gen_require(`
+ type doh_client_t, doh_client_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, doh_client_exec_t, doh_client_t)
+')
+
+######################################
+##
+## Execute doh_client in the caller domain.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`doh_client_exec',`
+ gen_require(`
+ type doh_client_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ can_exec($1, doh_client_exec_t)
+')
+########################################
+##
+## Execute doh_client server in the doh_client domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`doh_client_systemctl',`
+ gen_require(`
+ type doh_client_t;
+ type doh_client_unit_file_t;
+ ')
+
+ systemd_exec_systemctl($1)
+ systemd_read_fifo_file_passwd_run($1)
+ allow $1 doh_client_unit_file_t:file read_file_perms;
+ allow $1 doh_client_unit_file_t:service manage_service_perms;
+
+ ps_process_pattern($1, doh_client_t)
+')
+
+
+########################################
+##
+## All of the rules required to administrate
+## an doh_client environment
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+##
+## Role allowed access.
+##
+##
+##
+#
+interface(`doh_client_admin',`
+ gen_require(`
+ type doh_client_t;
+ type doh_client_unit_file_t;
+ ')
+
+ allow $1 doh_client_t:process { signal_perms };
+ ps_process_pattern($1, doh_client_t)
+
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 doh_client_t:process ptrace;
+ ')
+
+ doh_client_systemctl($1)
+ admin_pattern($1, doh_client_unit_file_t)
+ allow $1 doh_client_unit_file_t:service all_service_perms;
+ optional_policy(`
+ systemd_passwd_agent_exec($1)
+ systemd_read_fifo_file_passwd_run($1)
+ ')
+')
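Review bot: The `doh_client_systemctl` interface is documented as "Execute doh_client server in the doh_client domain", which is the domtrans summary carried over; the body actually grants the caller `systemctl` control of the unit file and `ps` visibility of `doh_client_t`, so the summary should read `## Allow the caller domain to manage the doh_client service with systemctl.` Likewise `doh_client_admin` documents a second `role` parameter that its body never references (`$2` is unused), so either that parameter block should go or the interface should grant the role something. The same two copy-paste issues are present in `doh_server.if` further down and are not repeated there. Minor style point: `doh_client_exec` is the only interface not followed by a blank line before the next banner.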
diff --git a/contrib/rpm/doh_client.te b/contrib/rpm/doh_client.te
new file mode 100644
index 0000000..e82017f
--- /dev/null
+++ b/contrib/rpm/doh_client.te
@@ -0,0 +1,49 @@
+policy_module(doh_client, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type doh_client_t;
+type doh_client_exec_t;
+init_daemon_domain(doh_client_t, doh_client_exec_t)
+
+type doh_client_port_t;
+
+corenet_port(doh_client_port_t)
+
+type doh_client_unit_file_t;
+systemd_unit_file(doh_client_unit_file_t)
+
+########################################
+#
+# doh_client local policy
+#
+allow doh_client_t self:fifo_file rw_fifo_file_perms;
+allow doh_client_t self:unix_stream_socket create_stream_socket_perms;
+
+allow doh_client_t self:capability net_bind_service;
+allow doh_client_t self:process execmem;
+allow doh_client_t self:tcp_socket { accept bind connect create getattr getopt listen read setopt write };
+allow doh_client_t self:udp_socket { bind connect create getattr read setopt write };
+
+allow doh_client_t doh_client_exec_t:file execmod;
+allow doh_client_t doh_client_port_t:tcp_socket name_bind;
+
+corenet_tcp_bind_dns_port(doh_client_t)
+corenet_tcp_bind_generic_node(doh_client_t)
+corenet_tcp_connect_http_port(doh_client_t)
+corenet_udp_bind_dns_port(doh_client_t)
+corenet_udp_bind_generic_node(doh_client_t)
+corenet_udp_bind_generic_port(doh_client_t)
+kernel_read_net_sysctls(doh_client_t)
+kernel_search_network_sysctl(doh_client_t)
+miscfiles_read_certs(doh_client_t)
+sysnet_read_config(doh_client_t)
+
+domain_use_interactive_fds(doh_client_t)
+
+files_read_etc_files(doh_client_t)
+
+miscfiles_read_localization(doh_client_t)
diff --git a/contrib/rpm/doh_server.fc b/contrib/rpm/doh_server.fc
new file mode 100644
index 0000000..51a5694
--- /dev/null
+++ b/contrib/rpm/doh_server.fc
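Review bot: `doh_client_port_t` is only ever granted `tcp_socket name_bind`, yet the spec's `%post selinux` labels 5380/udp with that type, so once the label is applied neither this rule nor `corenet_udp_bind_generic_port(doh_client_t)` covers a UDP listener on 5380 and the bind would be denied; add `allow doh_client_t doh_client_port_t:udp_socket name_bind;` and then drop the generic-port line, which otherwise lets the client bind any unlabelled UDP port. The `execmem` and `execmod` rules are the other broad grants: they permit writable-then-executable mappings that a plain Go binary does not need and are presumably only required because the spec runs upx over the binaries; if upx goes, these two lines (and the matching pair in `doh_server.te`) can go with it. A one-line comment over each of these rules stating why it is needed would make the next policy review much quicker.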
@@ -0,0 +1,2 @@
+/usr/bin/doh-server -- gen_context(system_u:object_r:doh_server_exec_t,s0)
+/usr/lib/systemd/system/doh-server.service -- gen_context(system_u:object_r:doh_server_unit_file_t,s0)
diff --git a/contrib/rpm/doh_server.if b/contrib/rpm/doh_server.if
new file mode 100644
index 0000000..b38f9ae
--- /dev/null
+++ b/contrib/rpm/doh_server.if
@@ -0,0 +1,122 @@
+
+## policy for doh_server
+
+########################################
+##
+## Execute doh_server_exec_t in the doh_server domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`doh_server_domtrans',`
+ gen_require(`
+ type doh_server_t, doh_server_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, doh_server_exec_t, doh_server_t)
+')
+
+######################################
+##
+## Execute doh_server in the caller domain.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`doh_server_exec',`
+ gen_require(`
+ type doh_server_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ can_exec($1, doh_server_exec_t)
+')
+########################################
+##
+## Execute doh_server server in the doh_server domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`doh_server_systemctl',`
+ gen_require(`
+ type doh_server_t;
+ type doh_server_unit_file_t;
+ ')
+
+ systemd_exec_systemctl($1)
+ systemd_read_fifo_file_passwd_run($1)
+ allow $1 doh_server_unit_file_t:file read_file_perms;
+ allow $1 doh_server_unit_file_t:service manage_service_perms;
+
+ ps_process_pattern($1, doh_server_t)
+')
+
+
+########################################
+##
+## All of the rules required to administrate
+## an doh_server environment
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+##
+## Role allowed access.
+##
+##
+##
+#
+interface(`doh_server_admin',`
+ gen_require(`
+ type doh_server_t;
+ type doh_server_unit_file_t;
+ ')
+
+ allow $1 doh_server_t:process { signal_perms };
+ ps_process_pattern($1, doh_server_t)
+
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 doh_server_t:process ptrace;
+ ')
+
+ doh_server_systemctl($1)
+ admin_pattern($1, doh_server_unit_file_t)
+ allow $1 doh_server_unit_file_t:service all_service_perms;
+ optional_policy(`
+ systemd_passwd_agent_exec($1)
+ systemd_read_fifo_file_passwd_run($1)
+ ')
+')
+
+########################################
+##
+## Make a TCP connection to the vault_ocsp_responder port.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`doh_server_connect',`
+ gen_require(`
+ type doh_server_port_t;
+ type $1;
+ ')
+
+ allow $1 doh_server_port_t:tcp_socket name_connect;
+')
diff --git a/contrib/rpm/doh_server.te b/contrib/rpm/doh_server.te
new file mode 100644
index 0000000..2f9e0e1
--- /dev/null
+++ b/contrib/rpm/doh_server.te
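Review bot: `doh_server_connect` carries the summary "Make a TCP connection to the vault_ocsp_responder port.", copied from an unrelated policy; it should read `## Make a TCP connection to the doh_server port.` The `type $1;` inside its `gen_require` is also unconventional: it makes the interface declare the caller's own domain as a requirement, which is what lets `doh_server.te` call it with `httpd_t` without requiring the apache policy itself, but it means any module using this interface hard-depends on the caller type being defined at link time; the usual form requires only `doh_server_port_t` and leaves callers to wrap the call in `optional_policy`. The documentation issues this file shares with `doh_client.if` (the systemctl summary and the unused `$2` role parameter) are raised on that hunk.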
@@ -0,0 +1,42 @@
+policy_module(doh_server, 1.0.0)
+
+require {
+ class process execmem;
+ class tcp_socket { accept bind create read write getattr listen setopt connect getopt };
+ class udp_socket { connect create getattr setopt read write };
+ class file execmod;
+}
+
+type doh_server_t;
+type doh_server_exec_t;
+
+init_daemon_domain(doh_server_t, doh_server_exec_t)
+
+type doh_server_port_t;
+
+corenet_port(doh_server_port_t)
+
+type doh_server_unit_file_t;
+systemd_unit_file(doh_server_unit_file_t)
+
+allow doh_server_t self:fifo_file rw_fifo_file_perms;
+allow doh_server_t self:unix_stream_socket create_stream_socket_perms;
+allow doh_server_t self:process execmem;
+allow doh_server_t self:tcp_socket { accept read write bind create getattr listen setopt connect getopt};
+allow doh_server_t self:udp_socket { connect create getattr setopt read write };
+
+allow doh_server_t doh_server_exec_t:file execmod;
+allow doh_server_t doh_server_port_t:tcp_socket name_bind;
+
+domain_use_interactive_fds(doh_server_t)
+
+files_read_etc_files(doh_server_t)
+
+corenet_tcp_bind_generic_node(doh_server_t)
+corenet_tcp_connect_dns_port(doh_server_t)
+doh_server_connect(httpd_t)
+
+kernel_read_net_sysctls(doh_server_t)
+kernel_search_network_sysctl(doh_server_t)
+
+miscfiles_read_localization(doh_server_t)
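Review bot: `doh_server_connect(httpd_t)` is called unconditionally, so this module hard-depends on the apache policy module being loaded; on a host without it the `semodule -i` in the spec's `%post selinux` fails to link, and the scriptlet's `exit 0` hides that. Wrap the call as `optional_policy(\`` / `doh_server_connect(httpd_t)` / `')` so the rule is simply skipped where `httpd_t` does not exist. The leading `require { class ... }` block is redundant in a refpolicy module — object classes and permissions come from the base policy and `doh_client.te` gets by without one — and its removal would also bring this file into line with the client's "Declarations"/"local policy" banners. If the server is ever configured to terminate TLS itself rather than sit behind httpd, it will also need `miscfiles_read_certs(doh_server_t)` as the client already has; a comment stating that the current policy assumes a reverse proxy would make that assumption explicit.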